topic why no incoming traffic at all in Network Security

why no incoming traffic at all

yijunzhou — Mon, 11 Mar 2019 20:45:48 GMT

Hello,

I am configuring ASA as firewall+vpn, basically outside of appliance is T1 access(, there are 5 vlans in inside via a iptables, iptables's outside is on the same vlan as insdie of ASA (192.168.5.1 and 192.168.5.2). vpn users are authenticated via 2 factors authentication ( SDI, IP is 192.168.5.5) and get ACLs via local database. vpn pool is 192.168.6.1-192.168.6.15. vpn pool is NATed to external IP since companynmr is opened for specific IP and protocol only.

ACL INSIDE works as expected, all other ACLs not working at all (OUTSIDE, vpnuser1_ONLY, D81only, D53only,etc)

Below is the configuration. Please help me find out the problem.

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa

name 194.0.0.0 net194
name 195.0.0.0 net195
name 200.0.0.0 net200
name 201.0.0.0 net201
name 212.0.0.0 net212
name 217.0.0.0 net217
name 41.0.0.0 net41
name 62.0.0.0 net62
name 77.0.0.0 net77
name 78.0.0.0 net78
name 79.0.0.0 net79
name 83.0.0.0 net83
name 84.0.0.0 net84
name 86.0.0.0 net86
name 87.0.0.0 net87
name 88.0.0.0 net88
name 89.0.0.0 net89
name 90.0.0.0 net90
name 91.0.0.0 net91
name 92.0.0.0 net92
name 93.0.0.0 net93
name 94.0.0.0 net94
name 95.0.0.0 net95

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.194 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.6.1-192.168.6.15 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
icmp deny any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 4 xx.xx.xx.238 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.215 netmask 255.255.255.255

global (outside) 2 xx.xx.xx.241 netmask 255.255.255.255

global (outside) 1xx.xx.xx.218 netmask 255.255.255.255

global (outside) 5 xx.xx.xx.240 netmask 255.255.255.255

nat (inside) 1 User1 255.255.255.255
nat (inside) 1 User3 255.255.255.255
nat (inside) 5 proxy240 255.255.255.255
nat (inside) 2 proxy241 255.255.255.255
nat (inside) 1 User2 255.255.255.255
nat (inside) 3 companynet52 255.255.255.0
nat (inside) 4 vpnpool 255.255.255.0 outside

timeout xlate 0:10:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SDI protocol sdi
aaa-server SDI (inside) host 192.168.5.5
aaa authentication ssh console LOCAL
aaa authentication match INSIDE_AUTH inside SDI
aaa local authentication attempts max-fail 3
http server enable
http server idle-timeout 5
http XP 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh XP 255.255.255.255 inside
ssh timeout 5
console timeout 10
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 8
vpn-idle-timeout 10
vpn-session-timeout 60
vpn-tunnel-protocol l2tp-ipsec
webvpn
svc keep-installer none
svc rekey time 8
svc rekey method ssl
svc ask none default svc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-simultaneous-logins 1
vpn-idle-timeout 9
vpn-session-timeout 45
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
webvpn
svc keep-installer none
svc rekey time 25
svc rekey method ssl
svc dpd-interval client 30
svc dpd-interval gateway 30
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
svc routing-filtering-ignore disable
username vpnuser1 password xxxxx encrypted
username vpnuser1 attributes
vpn-group-policy GroupPolicy1
vpn-idle-timeout 6
vpn-session-timeout 20
vpn-filter value vpnuser1_ONLY
vpn-tunnel-protocol svc
group-lock value COMAVPN
service-type remote-access
username enable_15 password xxxxxx encrypted privilege 15
tunnel-group DefaultRAGroup webvpn-attributes
group-alias companyvpn disable
tunnel-group COMAVPN type remote-access
tunnel-group COMAVPN general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group SDI
authentication-server-group (inside) SDI
authorization-server-group LOCAL
default-group-policy GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
group-alias companyremote enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

why no incoming traffic at all

Maykol Rojas — Thu, 16 Jun 2011 04:41:33 GMT

Hello,

In version 8.2 and earlier, if the traffic is coming from the outside, you will need to allow traffic to the public IP instead of the private,

Look at this:

static (inside,outside) 209.10.194.239 companyftp netmask 255.255.255.255

access-list OUTSIDE extended permit tcp any host companyftp object-group ftpservice

The access list should go like this

access-list OUTSIDE extended permit tcp any host 209.10.194.239 object-group ftpservice

For hosts trying to access the server from the outside.

Hope this helps.

Mike

why no incoming traffic at all

yijunzhou — Thu, 16 Jun 2011 13:49:07 GMT

Yes. you are expert!!!. Mike.

One more problem about vpn configuration:

After vpn user - say vpnuser1 logged in vpn, I do see user's attributes (vpnuser1_ONLY )override group policy( GroupPolicy1), however, vpnuser1 was unable to access anything in inside and one single remote host.

Thank you for help.

Yijun

why no incoming traffic at all

Maykol Rojas — Fri, 17 Jun 2011 00:36:03 GMT

Hello,

What you call vpnuser1_ONLY is just a vpn filter, is not a group policy. That being said only what is here:

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

Would be the things that the VPN client can connect to, no other traffic would be permitted.

Cheers!

Mike

why no incoming traffic at all

yijunzhou — Fri, 17 Jun 2011 01:49:53 GMT

Hello Mike,

Sorry for the confusion. I should this is 2nd issue other than no incoming traffic.....

what happen is after vpnuser1 logged in vpn, he cannot access any internal host as expected.

Thank you for help.

Regards,

Yijun

why no incoming traffic at all

Maykol Rojas — Fri, 17 Jun 2011 02:12:08 GMT

Hello Yujin,

Dont worry, I am glad to help. Not quite a VPN expert, but based on the configuration, I think you can only access what is explicitly allowed on the following access list

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

If you are not even able to access what you explicitly permitted on this ACL, please go ahead and start the logs on the ASA firewall, connect a VPN client, try to send traffic and paste the logs over here, I will be more than glad to help.

Mike

why no incoming traffic at all

yijunzhou — Fri, 17 Jun 2011 15:31:53 GMT

Hello Mike,

I really appreciate your kind help. I am pretty new to Cisco ASA, we use checkpoint before. The following is the log I caught after vpnuser1 logged in from public IP 66.167.16.82:

ciscoasa# show conn all

5 in use, 71 most used

UDP outside 66.167.16.82:63523 NP Identity Ifc 209.10.194.194:443, idle 0:00:03, bytes 15847, flags -

TCP outside 66.167.16.82:49247 NP Identity Ifc 209.10.194.194:443, idle 0:00:02, bytes 1487, flags UOB

ciscoasa# show vpn-sessiondb

Active Session Summary

Sessions:

Active : Cumulative : Peak Concurrent : Inactive

SSL VPN : 1 : 3 : 1

Clientless only : 0 : 0 : 0

With client : 1 : 3 : 1 : 0

Email Proxy : 0 : 0 : 0

IPsec LAN-to-LAN : 0 : 0 : 0

IPsec Remote Access : 0 : 0 : 0

Totals : 1 : 3

License Information:

IPsec : 25 Configured : 25 Active : 0 Load : 0%

SSL VPN : 2 Configured : 2 Active : 1 Load : 50%

Active : Cumulative : Peak Concurrent

IPsec : 0 : 0 : 0

SSL VPN : 1 : 3 : 1

AnyConnect Mobile : 0 : 0 : 0

Linksys Phone : 0 : 0 : 0

Totals : 1 : 3

Tunnels:

Active : Cumulative : Peak Concurrent

Clientless : 1 : 3 : 1

SSL-Tunnel : 1 : 7 : 1

DTLS-Tunnel : 1 : 8 : 1

Totals : 3 : 18

Active NAC Sessions:

No NAC sessions to display

Active VLAN Mapping Sessions:

No VLAN Mapping sessions to display

ciscoasa# show vpn-sessiondb svc

Session Type: SVC

Username : vpnuser1 Index : 4

Assigned IP : 192.168.6.1 Public IP : 66.167.16.82

Protocol : Clientless SSL-Tunnel

License : SSL VPN

Encryption : RC4 Hashing : SHA1

Bytes Tx : 2485998 Bytes Rx : 80017

Group Policy : GroupPolicy1 Tunnel Group : L5MVPN

Duration : 0h:17m:59s

Inactivity : 0h:00m:00s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

The following are logs caught:

2 Jun 17 2011 09:27:26 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2 Jun 17 2011 09:27:13 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6 Jun 17 2011 09:27:13 302016 192.168.14.2 62567 209.10.194.194 443 Teardown UDP connection 10276 for outside:192.168.4.2/62567 to identity:209.10.194.194/443 duration 0:02:01 bytes 99

2 Jun 17 2011 09:27:12 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2 Jun 17 2011 09:26:39 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6 Jun 17 2011 09:26:39 722022 Group User IP <66.167.16.82> UDP SVC connection established without compression

5 Jun 17 2011 09:26:39 722033 Group User IP <66.167.16.82> First UDP SVC connection established for SVC session.

6 Jun 17 2011 09:26:39 725002 66.167.16.82 63523 Device completed SSL handshake with client outside:66.167.16.82/63523

6 Jun 17 2011 09:26:39 725003 66.167.16.82 63523 SSL client outside:66.167.16.82/63523 request to resume previous session.

6 Jun 17 2011 09:26:38 725001 192.168.14.2 63523 Starting SSL handshake with client outside:192.168.4.2/63523 for DTLSv1 session.

6 Jun 17 2011 09:26:38 302015 192.168.14.2 63523 209.10.194.194 443 Built inbound UDP connection 10282 for outside:192.168.4.2/63523 (192.168.4.2/63523) to identity:209.10.194.194/443 (209.10.194.194/443)

6 Jun 17 2011 09:26:38 725001 66.167.16.82 63523 Starting SSL handshake with client outside:66.167.16.82/63523 for DTLSv1 session.

6 Jun 17 2011 09:26:38 302015 66.167.16.82 63523 209.10.194.194 443 Built inbound UDP connection 10281 for outside:66.167.16.82/63523 (66.167.16.82/63523) to identity:209.10.194.194/443 (209.10.194.194/443)

6 Jun 17 2011 09:26:38 722023 Group User IP <66.167.16.82> UDP SVC connection terminated without compression

6 Jun 17 2011 09:26:38 725007 66.167.16.82 62181 SSL session with client outside:66.167.16.82/62181 terminated.

6 Jun 17 2011 09:26:38 302016 66.167.16.82 62181 209.10.194.194 443 Teardown UDP connection 10278 for outside:66.167.16.82/62181 to identity:209.10.194.194/443 duration 0:00:41 bytes 10480

2 Jun 17 2011 09:26:35 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2 Jun 17 2011 09:26:22 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6 Jun 17 2011 09:26:22 110002 192.168.6.1 62874 Failed to locate egress interface for UDP from outside:192.168.6.1/62874 to 239.255.255.250/1900

2 Jun 17 2011 09:26:21 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2 Jun 17 2011 09:26:20 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside,,

6 Jun 17 2011 09:26:19 302014 66.167.16.82 49246 209.10.194.194 443 Teardown TCP connection 10277 for outside:66.167.16.82/49246 to identity:209.10.194.194/443 duration 0:00:29 bytes 1303 TCP Reset-O,,

2 Jun 17 2011 09:26:19 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside,,

5 Jun 17 2011 09:26:19 722028 Group User IP <66.167.16.82> Stale SVC connection closed.,,

6 Jun 17 2011 09:26:19 725007 66.167.16.82 49246 SSL session with client outside:66.167.16.82/49246 terminated.,,

6 Jun 17 2011 09:26:19 734001 DAP: User vpnuser1, Addr 66.167.16.82, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

4 Jun 17 2011 09:26:19 722051 Group User IP <66.167.16.82> Address <192.168.6.1> assigned to session,,

6 Jun 17 2011 09:26:19 722022 Group User IP <66.167.16.82> TCP SVC connection established without compression,,

5 Jun 17 2011 09:26:19 722032 Group User IP <66.167.16.82> New TCP SVC connection replacing old connection.,,

6 Jun 17 2011 09:26:19 725002 66.167.16.82 49247 Device completed SSL handshake with client outside:66.167.16.82/49247,,

6 Jun 17 2011 09:26:19 725001 66.167.16.82 49247 Starting SSL handshake with client outside:66.167.16.82/49247 for TLSv1 session.,,

6 Jun 17 2011 09:26:19 302013 66.167.16.82 49247 209.10.194.194 443 Built inbound TCP connection 10280 for outside:66.167.16.82/49247 (66.167.16.82/49247) to identity:209.10.194.194/443 (209.10.194.194/443),,

2 Jun 17 2011 09:26:18 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside,,

2 Jun 17 2011 09:26:10 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

Regards,

Yijun

why no incoming traffic at all

Maykol Rojas — Fri, 17 Jun 2011 17:53:13 GMT

Hello Yijun

Thanks for the logs, the only traffic that I can see from the host 192.168.6.1 is NetBios traffic, that is pretty much it, I dont see any tcp connections or you trying to access any internal resources, can you gather the logs when you try a tcp connection to a resource on the inside?

Mike

why no incoming traffic at all

yijunzhou — Fri, 17 Jun 2011 18:01:36 GMT

Hi Mike,

Sorry I am pretty new to cisco ASA, I though it was the all logs. Would you please guide me through how to enable detail log and how to grub it?

Thanks,

Yijun

why no incoming traffic at all

Maykol Rojas — Fri, 17 Jun 2011 18:09:14 GMT

Hey,

Yes they are, these, the ones you took

2 Jun 17 2011 09:27:26 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2 Jun 17 2011 09:27:13 106006 192.168.6.1 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

However, I cannot see any TCP traffic, would you please connect again, and try to access a server on the inside via, I dont know RDP or something you have allow?

Mike

why no incoming traffic at all

yijunzhou — Fri, 17 Jun 2011 21:10:54 GMT

Hi Mike,

authentication and authorization are both successful.

6 Jun 17 2011 14:53:01 113004 AAA user authorization Successful : server = LOCAL : user = vpnuser1

6 Jun 17 2011 14:53:01 113004 AAA user authentication Successful : server = 192.168.5.5 : user = vpnuser1

Then lots of denial:

6 Jun 17 2011 14:54:11 302014 66.167.16.82 49993 209.10.194.194 443 Teardown TCP connection 12470 for outside:66.167.16.82/49993 to identity:209.10.194.194/443 duration 0:00:50 bytes 1911061 TCP Reset-O

2 Jun 17 2011 14:54:10 106006 192.168.6.2 137 192.168.6.255 137 Deny inbound UDP from 192.168.6.2/137 to 192.168.6.255/137 on interface outside

Is that's because of routing or NAT issue ( I NATed vpn IP address pool to one public IP to access other remote host - companynmr which opened for restricted public IP only)

nat (inside) 4 vpnpool 255.255.255.0 outside

global (outside) 4 209.10.194.238 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 209.10.194.193 1

route inside companynet51 255.255.255.0 192.168.5.2 1

route inside companynet52 255.255.255.0 192.168.5.2 1

route inside companynet53 255.255.255.0 192.168.5.2 1

route inside companynet81 255.255.255.0 192.168.5.2 1

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

Thanks,

Yijun

why no incoming traffic at all

Maykol Rojas — Sat, 18 Jun 2011 18:44:45 GMT

Hi,

I need you to do a couple of things, first make sure that the host 192.168.5.3 is turned on and that it has RDP enable, then connect a VPN client and finally try to connect via RDP to the host 192.168.5.3. I need you to collect the logs from that connection, you can do it like you have been doing so far or by doing the following:

Go to monitoring---->Logging---->View

On the filter, put the IP address of the RDP host (192.168.5.3)

Then start the connection and see the logs

Other would be this one

Logging Buffered 7

Logging on

Then try to connect via RDP

Then issue the command show log | inc192.168.5.3

Let me know how it goes.

Mike

why no incoming traffic at all

yijunzhou — Thu, 23 Jun 2011 21:32:46 GMT

hi, mike,

my vpn configuration works. However, there is another problem: i was not able to let internal host goes to interne and coming back to access another host on different internal vlan.

object-group service mailservice tcp

port-object eq https

port-object eq smtp

nat (inside) 6 192.168.4.0 255.255.255.0

global (outside) 6 xx.xx.xx.201 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.206 192.168.3.136 netmask 255.255.255.255

access-list INSIDE extended permit ip 192.168.4.0 255.255.255.0 any

access-list OUTSIDE extended permit tcp any host xx.xx.xx.206 object-group mailservice log

same-security-traffic permit intra-interface

The machine 192.168.4.15 was able access anywhere internet but not https://xx.xx.xx.206.

Can you help me identify the problem?

Thanks,